SELinux and TCP Traceroute

I need to run a TCP traceroute in the browser but am getting a few SELinux alerts.

I have tried creating a policy with audit2allow, e.g. ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp, which removes the alerts, but the traceroute still does not work and returns the message:

    traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
    send: Permission denied

There are no AVC alerts after I add these policies, just that "send: Permission denied" message sent back from the server.



I've even tried to create my own policy, e.g.

module traceroute 1.0;

require {
	type httpd_t;
	class capability net_raw;
	class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SELinux to permissive, the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as a non-root user, e.g. set cap_net_raw+ep on /usr/bin/traceroute.



Any ideas?



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










  • Yes, the request is sent using ajax and it returns the message "socket: Permission denied". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12











  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets" and then "send: Permission denied".

    – turrican_34
    Mar 5 at 19:21
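Added example (not part of the original question, of any answer, or of the SELinux tooling): a small Python script that does offline what the audit2allow step in the question does, so that the full rule set implied by the alerts can be seen in one place and the risky rules can be spotted before anything is loaded. It parses raw AVC records in the format shown above under "Raw Audit Messages", groups the denied permissions by source type, target type and class, renders a .te module, and flags the rules that make the web server domain itself raw-socket capable. The sample input is constructed from the records quoted in the question (with the braces that auditd writes around the permission restored on two of them; the parser accepts both spellings). The module name my_traceroute and the function names are this example's own choices.

```python
"""Derive an SELinux policy module from raw AVC records (audit2allow-style).

Added example; not code from the question, an answer, or the SELinux
project. Input is the raw audit format shown above under "Raw Audit
Messages"; the sample below is constructed from those records.
"""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the question. auditd writes the
# permission in braces ("denied  { create } for"); the page's rendering
# dropped them, so both spellings appear here and both are accepted.
SAMPLE_AVC = """\
type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { create } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { net_raw } for  pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

# One AVC record: the denied permission(s), source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{?\s*(?P<perms>[\w ]+?)\s*\}?\s+for\s"
    r".*?\bscontext=(?P<scon>\S+).*?\btcontext=(?P<tcon>\S+).*?\btclass=(?P<tclass>\w+)"
)

# Granting these to a domain on itself lets every process in that domain
# open raw sockets; for httpd_t that is the whole web application.
RAW_SOCKET_GRANTS = {("capability", "net_raw"), ("rawip_socket", "create")}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def collect_rules(avc_text):
    """Map (source type, target type or 'self', class) -> set of permissions."""
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, ...)
        stype, ttype = context_type(m["scon"]), context_type(m["tcon"])
        target = "self" if ttype == stype else ttype
        rules[(stype, target, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name="my_traceroute"):
    """Render the rules as policy module source (.te) for checkmodule."""
    types = {s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"}
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {fmt_perms(p)};" for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


def widening_rules(rules):
    """(domain, class, perm) triples that make the domain itself raw-socket capable."""
    return [
        (s, cls, p)
        for (s, t, cls), perms in sorted(rules.items()) if t == "self"
        for p in sorted(perms) if (cls, p) in RAW_SOCKET_GRANTS
    ]


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVC)
    print(render_te(rules))
    for domain, cls, perm in widening_rules(rules):
        print(f"# WARNING: {domain} self:{cls} {perm} gives the whole domain raw sockets")
```

Compared with the hand-written module in the question, the rule set derived from the alerts also covers bind, connect and getattr on the raw socket, node_bind on node_t, and read/open on the sysctl_net_t file behind /proc/sys/net/ipv4/tcp_ecn. Write the output to my_traceroute.te and load it the same way the question does: checkmodule -M -m -o my_traceroute.mod my_traceroute.te, semodule_package -o my_traceroute.pp -m my_traceroute.mod, semodule -i my_traceroute.pp. If a "Permission denied" remains with no AVC logged, one common cause is a dontaudit rule hiding the denial: semodule -DB rebuilds the policy with dontaudit rules disabled, reproduce the traceroute, read ausearch -m AVC -ts recent, then semodule -B restores them. If even then nothing is logged, the EPERM is not coming from SELinux and the capability set of the httpd process is the next thing to check, since a file capability on /usr/bin/traceroute cannot exceed the bounding set the service was started with. Finally, note what the two flagged rules mean: once httpd_t may hold CAP_NET_RAW and create raw sockets, every process in that domain, not only traceroute, can forge packets. The narrower design is to leave httpd_t alone and run traceroute in its own domain through a domain transition, so the raw-socket rules attach to that domain only; whether the installed policy already ships such a domain and labels the binary for it can be checked with seinfo -t traceroute_t and ls -Z /usr/bin/traceroute.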
















0















I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










  • Yes, the request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12

  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21














0












0








0








I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










share|improve this question
















I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open
centos security selinux
edited Mar 5 at 19:32 by turrican_34
asked Mar 5 at 18:42 by turrican_34 (234)

  • Yes, the request is sent using AJAX and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12
  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21
1 Answer
I've figured this out myself, so I'll answer my own question.

The answer was to do both of the things I'd already tried in the OP, but use them together.
Previously I had only tried using audit2allow to create the policies and, when it didn't work, disabled those policies and attempted to create my own.

So, to get it working, first use audit2allow to create a policy from the alerts:

ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

then run

semodule -i my-traceroute.pp

Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, which are required for executing the traceroute command.

Create a file called traceroute.tt and add the following to it:

module traceroute 1.0;

require {
	type httpd_t;
	class capability net_raw;
	class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
# CAP_NET_RAW for the web-server domain, so traceroute started by it can open raw sockets
allow httpd_t self:capability net_raw;
# raw IP socket operations traceroute performs while running in httpd_t
allow httpd_t self:rawip_socket { getopt create setopt write read };

Then run the following commands (as root user):

checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp

Done :)
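To see what `audit2allow -M` actually grants from alerts like the ones above before anything is loaded with `semodule`, here is an added example, not code from the question, the answer, or the SELinux tooling: a small Python script that parses raw AVC records and renders the equivalent .te module. Two of the sample records are copied from the sealert output quoted in the question; the `rawip_socket create` record and the module name `my_traceroute` are constructed for the example, and the function names (`parse_avc`, `render_te`) are the example's own.

```python
"""Turn raw AVC denial records into a minimal SELinux policy module (.te).

Added illustration of what `ausearch --raw | audit2allow -M` produces,
written so the generated rules can be reviewed before they are loaded.
It is not audit2allow itself and covers only type-based allow rules.
"""
import re
from collections import defaultdict

# Sample input. The first two AVC records are copied from the sealert output
# quoted on this page; the third (rawip_socket create) is constructed for the
# example. The SYSCALL record shows that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551801996.736:1108250): avc:  denied  { create } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 comm=traceroute subj=system_u:system_r:httpd_t:s0
"""

# Accepts both the kernel's "denied  { read write }" form and the brace-less
# form seen in sealert's rendering above.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{?\s*(?P<perms>[\w\s]+?)\s*\}?\s+for\b.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type (the part type enforcement rules use)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Denials with the same source, target and class are merged, exactly as
    the permission sets in an audit2allow module are.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """A single permission is written bare, several go in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name="my_traceroute", version="1.0"):
    """Render the rules as a .te module in the layout audit2allow uses."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    current = None
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != current:
            out.append(f"#============= {stype} ==============")
            current = stype
        # A target type equal to the source type is written as "self".
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review this output, then build and load it with checkmodule,
    # semodule_package and semodule as shown in the answer above.
    print(render_te(parse_avc(SAMPLE_AUDIT)))
```

Reading the rendered rules is the point of the exercise: each `allow` line widens the whole httpd_t domain, not just the traceroute child, so the module in the answer hands the web server itself CAP_NET_RAW and raw-socket access. One general caveat that applies to the "no AVC but still Permission denied" symptom in the question: denials covered by a `dontaudit` rule never reach the audit log, so `audit2allow` cannot see them; `semodule -DB` rebuilds the policy with dontaudit rules disabled so such denials become visible, and `semodule -B` restores the normal policy afterwards.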
answered Mar 5 at 21:11 by turrican_34 (234)